Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Senior Management Buy-in (was Top Information Security Management Ch

from [Fred Cohen] Network Security [Permanent Link]
Subject: Re: Senior Management Buy-in (was Top Information Security Management Challenges in the Enterprise Today?)
Date: Fri, 11 Nov 2005 09:18:09 -0800 

On Nov 11, 2005, at 9:10 AM, Brad Bemis wrote:

I like the idea of using a scenario driven approach to making policy
decisions.  How did you go about identifying the situations that
required this level of involvement (i.e. some kind of threat modeling
or risk management matrix across the business, etc.)?

ISO17799:2005 basically mandates it for business continuity planning and I agree with this. I use a process called an information protection posture assessment to identify high and medium risks and combine it with duties to protect to help determine where such decisions are required. You might want to look at http://all.net/ for details on these things. Start with "Security Architecture" and go from there.

FC



Thanks,
-Brad

-----Original Message-----
From: Fred Cohen [mailto:fred.cohen@all.net]
Sent: Friday, November 11, 2005 8:58 AM
To: Brad Bemis
Cc: Richard.Sullivan@neupart.com; 'Cronican, John';
john_blackley@dell.com; security-management@securityfocus.com
Subject: Re: Senior Management Buy-in (was Top Information Security
Management Challenges in the Enterprise Today?)

We have also tried a very different approach. In this one we use
scenarios to get responses from executive management. These are
specifically designed to cause policy decisions and to exercise the
decisions in practices. The resulting decisions are then codified in
policy and the strategic scenarios are "played" to train the employees
at each level of the enterprise. The answers give by those who
participate are judged against the top management decisions with toe
resulting policy training generating documentation of employee
awareness, engaging activities for the awareness and training program,
and measurable results.

FC

On Nov 11, 2005, at 8:47 AM, Brad Bemis wrote:

Good question -

In my experience, there are pro's and con's to any approach, but one 

of the most inclusive (and probably most effective) means of policy
formation is creating a policy development council or a policy
subcommittee of an existing security council (preferably with
executive level representation if at all possible).

While there needs to be a point person with responsibility for
actually writing the policies, using a council or subcommittee as a
forum for discussion will ensure that all of the appropriate voices
are heard when it comes to policy development (lines of business,
HR,
legal, risk management, IT, information security, physical security, 

loss prevention, compliance management, internal audit, etc...).

Once the policy has been completed and approved by the council or
subcommittee, it needs to be presented to the board for their input
and signoff.  In the end, your policies should be endorsed (in
writing) by your executive team.  This not only helps to ensure that


everyone understands what is in the policies and why, but it also
helps to set the tone from the top.

Be careful with this kind of approach though - consensus is
important,
but some key decisions (some of which may be unpopular) will be made 

during the policy formation process - be sure they are the right
decisions to properly protect and enable your business.

-Brad Bemis

From: Richard.Sullivan@neupart.com
[mailto:Richard.Sullivan@neupart.com]
Sent: Friday, November 11, 2005 7:54 AM
To: Cronican, John
Cc: john_blackley@dell.com; security-management@securityfocus.com
Subject: RE: Senior Management Buy-in (was Top Information Security
Management Challenges in the Enterprise Today?)


Another follow up question:  Were senior management intimately
involved in writing those policies?

We often see IT departments dictating policies that executives are
liable for. It's interesting that CFOs and CEOs could potentially go


to prison over this, then delegate the entire task to people with
nothing to lose.


- Rich





"Cronican, John" <JCronican@sempra.com>
11/10/2005 12:19 PM

To
<john_blackley@dell.com>, <security-management@securityfocus.com>
cc
Subject
RE: Senior Management Buy-in (was Top Information Security
Management 
Challenges in the Enterprise Today?)





Hi all,
My Senior Management are very aware and understand the content of
our 
information security policies.
John

John G. Cronican, Jr. (BEE, MSSM, CISSP, IAM) Sr. Infrastructure
Technologist iProtect Sempra Energy Sempra Energy Corporate Center &


Sempra Energy Utilities
10949 Technology Place
San Diego, CA  92127
(858) 613-5738 (Desk)
(619) 787-1906 (Cell)
(619) 978-2493 (Pager)

JCronican@sempra.com


-----Original Message-----
From: john_blackley@dell.com [mailto:john_blackley@dell.com]
Sent: Tuesday, November 08, 2005 10:09 AM
To: security-management@securityfocus.com
Subject: Re: Senior Management Buy-in (was Top Information Security
Management Challenges in the Enterprise Today?)


Further to Brad's excellent post on gathering success stories, I'd
like to ask one favor (because it's an issue in which I have an
interest):
When responding, can you give some indication of whether - or not -
you believe your senior management know and understand the content
of 
their information security policies?



-- This communication is confidential to the parties it is intended to
serve --
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
Security Management Partners    policygeeks.com    Livermore, CA 94550




-- This communication is confidential to the parties it is intended to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
Security Management Partners policygeeks.com Livermore, CA 94550

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Top Information Security Management Challenges in the Enterprise Today?, Brad Bemis
Next by Date:  RE: ISO Certification, Ozan Ozkara
Previous by Thread:  RE: Senior Management Buy-in (was Top Information Security Management Challenges in the Enterprise Today?), Brad Bemis
Next by Thread:  RE: Senior Management Buy-in (was Top Information Security Management Challenges in the Enterprise Today?), John Nolan
Indexes:  [Date] [Thread] [Top] [All Lists]